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November  6,  2002 


MEMORANDUM  FOR  DIRECTOR,  DEFENSE  CONTRACT  AUDIT  AGENCY 

DIRECTOR,  DEFENSE  CONTRACT  MANAGEMENT 
AGENCY 


SUBJECT:  Report  on  DoD  Oversight  of  Contractor  Purchasing  Systems 
(Report  No.  D-2003 -6-001) 


We  are  providing  this  report  for  review  and  comment.  We  considered 
management  comments  on  a  draft  of  this  report  in  preparing  the  final  report.  , 


Directive  7650.3  requires  that  all  recommendations  be  resolved  promptly.  The 
Defense  Contract  Management  Agency  comments  were  partially  responsive.  We  request 
additional  comments  on  Recommendation  A.  by  December  12,  2002.  The  final 
comments  should  include  an  agenda  for  coordination  with  the  Defense  Contract  Audit 
Agency  and  an  action  plan  for  revising  the  Directive  1. 


If  possible,  please  provide  management  comments  in  electronic  format  (Adobe 
Acrobat  file  only).  Copies  of  the  management  comments  must  contain  the  actual 
signature  of  the  authorizing  official.  We  cannot  accept  the  /Signed/  symbol  in  place  of 
the  actual  signature. 


We  appreciate  the  courtesies  extended  to  the  staff.  For  additional  information  on 
this  report,  please  contact  Mr.  Wayne  C.  Berry  at  (703)  604-8789  (DSN  664-8789)  or 
Ms.  Madelaine  E.  Fusfield  at  (703)  604-8739  (DSN  664-8739).  See  Appendix  C  for  the 
report  distribution.  Team  members  are  listed  inside  the  back  cover. 


Patricia  A.  tfranmn 
Deputy' Assistant  Inspector  General  for 
Audit  Policy  and  Oversight 


Office  of  the  Inspector  General  of  the  Department  of  Defense 


Report  No.  D-2003-6-001 

(Project  No.  D20010A-0106) 


November  6,  2002 


DoD  Oversight  of  Contractor  Purchasing  Systems 


Executive  Summary 


Who  Should  Read  This  Report  and  Why?  This  report  should  be  read  by  DoD 
purchasing  system  analysts  and  auditors  who  review  contractor  purchasing  systems  and 
administrative  contracting  officers  (ACOs)  who  determine  the  need  for  the  reviews, 
receive  the  resulting  reports,  and  approve  the  purchasing  systems.  The  report  explains 
how  analysts  and  auditors  can  improve  planning  and  review  coverage,  while  avoiding 
duplicative  or  overlapping  reviews. 

Background.  The  report  discusses  the  planning,  coordination,  and  perfonnance  of  DoD 
reviews  and  audits  of  contractor  purchasing  systems  by  Defense  Contract  Management 
Agency  (DCMA)  procurement  analysts  and  Defense  Contract  Audit  Agency  (DCAA) 
auditors.  A  contractor  purchasing  system  is  the  process  and  procedures  by  which  a 
contractor  obtains  subcontracts  and  purchases  other  material.  The  ACO  must  consider 
the  need  for  a  review  of  the  purchasing  system  if  a  contractor’s  negotiated  sales  to  the 
Government  are  expected  to  exceed  $25  million  during  the  next  12  months.  The  review 
results  are  used  to  support  the  approval  of  a  contractor’s  purchasing  system,  which  is 
crucial  for  mitigating  the  risks  associated  with  contracts  awarded  non-competitively  or 
subcontract  costs  passed  to  the  Government. 

Results.  Although  the  purchasing  system  reviews  were  generally  adequate  for  the 
13  reviews  and  12  audits  done  by  DCMA  and  DCAA,  respectively,  improvements  were 
needed  in  planning,  coordination,  and  documentation.  The  DCMA  and  DCAA  review 
the  same  contractor  purchasing  system.  Therefore,  DCMA  and  DCAA  should  jointly 
reengineer  their  processes  to  more  effectively  meet  the  needs  of  both  organizations,  avoid 
duplication,  and  effectively  leverage  the  resources  of  both  organizations.  Excellent 
examples  of  effective  planning  and  coordination  between  DCMA  and  DCAA  were 
demonstrated  at  three  contractor  facilities  (see  Finding  A).  In  addition,  although  DCMA 
reviews  were  adequate,  the  risk  assessment  that  they  used  needed  improvement  (see 
Finding  B). 

Management  Comments  and  Evaluation  Response.  The  Executive  Director,  Contract 
Management  Operations,  DCMA  agreed  with  the  recommendations.  However,  in 
response  to  the  recommendation  to  jointly,  with  DCAA,  reengineer  the  planning  process 
for  the  system  revisions,  he  proposed  reemphasizing  the  same  procedures  that  have  not 
worked  in  the  past.  To  reengineer  the  CPSR  process,  DCMA  needs  to  work  with  DCAA 
to  develop  new  policies  and  procedures  to  accommodate  the  needs  of  both  organizations 


and  address  the  deficiencies  raised  in  this  report.  A  final  response  should  include  an 
agenda  for  working  with  the  DCAA  and  an  action  plan  for  revising  the  DCMA 
Directive  1  Contract  Management  “One  Book.”  We  request  that  the  Director,  DCMA 
provide  additional  comments  by  December  12,  2002. 

The  Assistant  Director,  Policy  and  Plans,  DCAA  concurred  in  principle  and  will  work 
with  DCMA  to  re-evaluate  its  planning  and  coordination  processes  for  conducting  audits 
of  contractor  purchasing  systems.  By  January  31,  2003,  DCAA  will  issue  a 
Memorandum  for  Regional  Directors,  after  coordination  with  DCMA,  to  provide  audit 
guidance  to  field  auditors  on  the  enhanced  coordination  and  planning  process. 
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Background 


Contractor  management  is  responsible  for  establishing  and  maintaining  adequate 
internal  controls.  A  good  system  of  internal  controls  provides  reasonable 
assurance  that  assets  are  safeguarded  against  losses,  that  transactions  are  executed 
with  management  authorization  and  properly  recorded,  and  that  applicable  laws 
and  regulations  are  met.  A  contractor’s  purchasing  system  should  encompass 
adequate  internal  controls  over  purchasing  transactions. 

Contractor  Purchasing  System.  A  contractor’s  purchasing  system  is  the 
processes  and  procedures  by  which  a  contractor  obtains  subcontracts  and 
purchases  other  materials.  These  processes  include  make  or  buy  decisions,  the 
selection  of  vendors,  analysis  of  quoted  prices,  negotiation  of  prices  with  vendors, 
the  placing  and  administration  of  orders,  and  expediting  delivery  of  materials. 

The  Government  is  at  risk  when  prime  contracts  are  awarded  noncompetitively  or 
when  the  contract  with  the  Government  allows  the  contractor  to  pass  ah 
subcontract  costs  on  to  the  Government.  The  Consent  to  Subcontract/Contractor 
Purchasing  System  Review  process  provides  the  most  effective  and  efficient 
means  to  deal  with  these  risks. 

Consent  to  Subcontract.  In  certain  circumstances,  the  contract  may 
include  a  Consent  to  Subcontract  clause,  which  requires  the  contractor  to  obtain 
Administrative  Contracting  Officer  (ACO)  approval  of  the  subcontract  when  the 
contractor  itself  does  not  have  an  approved  purchasing  system.  An  effective 
purchasing  system,  approved  by  the  ACO,  can  substantially  reduce  the  number  of 
subcontracts  that  must  first  be  approved  by  the  ACO. 

Contractor  Purchasing  System  Reviews.  A  Contractor  Purchasing 
System  Review  (CPSR)  assists  a  contracting  officer  in  determining  whether  to 
approve  a  contractor’s  purchasing  system.  An  approved  system  allows  the 
contracting  officer  to  waive  subcontract  advance  notifications  or  consent  to 
subcontract  actions.  The  CPSR  also  provides  early  cost  accounting  standard 
information  on  which  to  base  source  selection  decisions  and  profit/fee  negotiation 
positions. 

Federal  Acquisition  Regulation  (FAR)  Subpart  44.201,  Consent  and  Advance 
Notification  Requirements,  specifies  that  unless  a  contractor  has  an  approved 
purchasing  system,  contracting  officer  consent  to  subcontract  is  required  for 
certain  contracts.  The  FAR  specifies  that  the  ACO  shah  determine  the  need  for  a 
CPSR  based  on,  but  not  limited  to,  the  past  performance  of  the  contractor  and  the 
volume,  complexity,  and  dollar  value  of  subcontracts.  The  need  for  a  CPSR  must 
be  considered  if  a  contractor’s  negotiated  sales  to  the  Government  are  expected  to 
exceed  $25  million  during  the  next  12  months. 

Performance  of  the  Reviews.  The  Defense  Federal  Acquisition 
Regulation  (DFARS)  Subpart  244.3,  CPSRs,  specifies  that  the  ACO  is 
responsible  for  reviewing  contractor  purchasing  systems.  Therefore,  members  of 
other  organizations,  such  as  audit  or  program  management  activities,  should  not 
conduct  separate  reviews  of  a  contractor’s  purchasing  system  but  may  participate 
in  a  review  conducted  for  the  ACO  by  Purchasing  System  Analysts  (PSAs). 
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During  FYs  1998  through  2000,  the  Defense  Contract  Management  Agency 
(DCMA)  completed  445  CPSRs,  or  an  average  of  148  reviews  per  year.  At  the 
time  of  our  evaluation,  the  DCMA  had  a  CPSR  staff  of  32  compared  to  personnel 
strength  of  42  in  1999  and  102  in  1994.  The  staff  size  represents  a  69  percent 
decline  since  1994.  As  a  result  of  declining  resources,  DCMA  guidance 
emphasizes  risk  assessments  to  plan  and  conduct  reviews  for  maximum 
efficiencies. 

Defense  Contract  Audit  Agency  Audits  of  Internal  Controls.  The  Defense 
Contract  Audit  Agency  (DCAA)  audits  contractor  internal  controls  to  detennine 
whether  the  controls  are  adequate  to  permit  the  preparation  of  Government  cost 
representations  in  accordance  with  generally  accepted  accounting  principles  and 
applicable  laws  and  regulations.  A  contractor’s  internal  controls  consist  of  live 
interrelated  components:  control  environment;  risk  assessments;  control  activities; 
information  and  communication;  and  monitoring.  DCAA  also  uses  the  results  of 
their  audits  of  internal  controls  to  plan  other  necessary  audits  at  contractor 
facilities. 

To  avoid  audit  duplication  or  overlap  with  CPSRs,  DCAA  guidance  requires  the 
auditor  to  notify  the  ACO  prior  to  initiating  an  audit  of  purchasing  system 
controls  and  to  coordinate  with  the  CPSR  team.  The  DCAA  performed  498 
purchasing  system  audits  in  FYs  1998  through  2001  or  about  125  audits  per  year. 
The  DCAA  audit  program,  summarized  in  Appendix  B,  Comparison  of  Review 
Coverage,  incorporates  procedures  for  reviewing  the  adequacy  of  those 
components  of  internal  controls. 


Objectives 


The  objective  was  to  evaluate  the  overall  adequacy  of  CPSRs  performed  jointly 
by  the  DCAA  and  the  DCMA.  The  review  included  an  evaluation  of  the  use  of 
audit  support  services  and  the  overall  quality  and  extent  of  audit  services  the 
DCAA  provides  to  the  DCMA.  In  addition,  we  assessed  the  adequacy  of  the 
management  control  programs  at  DCAA  and  DCMA  field  offices  relative  to  the 
overall  objective  (see  Appendix  A). 
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A.  Planning  and  Coordination  of  Reviews 

Based  on  our  evaluation  of  13  DCMA  reviews  and  12  DCAA  audits, 
planning  and  coordination  of  reviews  of  contractor  purchasing  systems, 
including  the  sharing  of  annual  plans  and  review  guides,  and  the  use  of 
audit  services,  needed  improvement.  Although  the  DCMA  CPSRs  and 
DCAA  audits  of  purchasing  system  internal  controls  have  different 
objectives,  the  reviews  to  a  large  extent  covered  the  same  areas.  However, 
the  agencies  did  not  share  annual  plans,  and  the  DCMA  guidance  did  not 
stress  the  importance  of  auditor  participation  in  joint  reviews  to  avoid 
duplication.  The  DCMA  requested  only  limited  audit  support  from 
DCAA  at  locations  where  DCAA  audited  significant  contractor  dollars. 
Further,  of  1 1  DCAA  audits  that  required  coordination  with  the  ACO  or 
the  CPSR  team,  6  did  not  include  adequate  information  to  explain  the 
extent  of  coordination  attempts.  The  DCAA  standard  audit  program 
emphasizes  the  need  to  coordinate  with  the  ACO  in  an  introductory  note 
that  does  not  instruct  the  auditor  to  document  all  coordination  efforts.  The 
conditions  occurred  because  DCMA  and  DCAA  do  not  have  joint 
planning  processes.  Excellent  examples  of  effective  planning  and 
coordination  were  demonstrated  at  three  contractor  facilities.  Inadequate 
coordination  may  result  in  overlapping  reviews  and  inefficient  use  of 
resources. 


Comparison  of  Review  Objectives 


The  DCMA  and  DCAA  have  different  objectives  when  reviewing  a  contractor’s 
purchasing  system.  However,  to  accomplish  the  objectives,  the  two  agencies  need 
access  to  the  same  contractor  infonnation. 

Defense  Contract  Management  Agency.  A  CPSR  performed  by  the  DCMA 
provides  the  ACO  the  basis  for  granting,  withholding,  or  withdrawing  approval  of 
a  contractor's  purchasing  system.  According  to  the  DCMA  One  Book, 

Chapter  7.4,  “Consent  to  Subcontract/CPSR,”  the  primary  objective  of  the 
Consent  to  Subcontract/CPSR  process  is  to  improve  the  effectiveness  and 
efficiency  of  contractors’  purchasing  systems.  A  second  objective  is  to  reduce  the 
risk  to  the  Government  when  prime  contracts  are  awarded  noncompetitively  or 
when  the  prime  contract  allows  the  prime  contractor  to  pass  all  subcontract  costs 
on  to  the  Government. 

Defense  Contract  Audit  Agency.  The  DCAA  audits  of  purchasing  system 
internal  controls  are  designed  to  meet  the  audit  requirements  outlined  in  the 
Contract  Audit  Manual  (CAM)  Chapter  5-600,  “Audit  of  Purchasing  System 
Internal  Controls,”  that  implement  Generally  Accepted  Government  Auditing 
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Standards  (GAGAS).  The  fieldwork  standard  for  financial  audits  on  internal 
controls,  GAGAS  4.21,  states  that  auditors  should  obtain  a  sufficient 
understanding  of  internal  controls  to  plan  the  audit  and  detennine  the  nature, 
timing,  and  extent  of  tests  to  be  performed. 

The  DCAA  is  concerned  with  assessing  the  adequacy  of  internal  controls  at  major 
contractor*  locations  but  considers  the  materiality  of  transactions  processed 
through  a  system  when  determining  the  need  for  an  audit  of  that  system.  The 
CAM,  Chapter  3-305,  “Preparation  of  the  Internal  Control  Audit  Planning 
Summary,”  instructs  the  auditor  to  assess  the  adequacy  of  internal  controls  for 
those  contractor  accounting  and  management  systems  that  may  have  a  significant 
impact  on  the  pricing,  administration,  or  settlement  of  Government  contracts.  A 
contractor’s  purchasing  system  is  1  of  10  accounting  and  management  systems  to 
which  the  audit  guidance  applies.  The  auditor  should  consider  performing  a 
purchasing  system  internal  control  review  if  the  transactions  processed  through 
the  system  are  material  in  relation  to  the  magnitude  of  the  contractor’s  total 
operations. 

Not  only  does  the  audit  of  the  internal  controls  tell  management  whether  the 
controls  are  working  as  planned,  but  the  auditor  uses  the  results  of  internal  control 
reviews  when  planning  all  other  audits,  for  example  incurred  costs,  forward 
pricing,  and  defective  pricing  at  major  contractor  locations. 


Comparison  of  Review  Coverage 


The  DCMA  One  Book,  Chapter  7.4,  Attachment  3,  of  the  CPSR  Guidebook, 
explains  that  a  CPSR  should  cover  a  review  of  policies,  procedures,  and  fonns;  a 
review  of  a  random  sample  of  purchase  orders  and  subcontracts;  a  compilation 
and  analysis  of  statistics;  interviews  with  contractor  personnel;  and  input  from 
technical  specialists,  including  auditors.  Although  the  DMCA  One  Book  outlines 
the  areas  for  review  of  a  contractor’s  purchasing  system,  the  guidance  does  not 
include  detailed  instructions  for  the  review,  or  a  review  guide. 

Scope  of  Work  in  a  CPSR.  The  13  reviews  we  evaluated  in  the  3  DCMA  offices 
covered  all  areas  described  in  the  CPSR  Guidebook.  The  extent  of  review 
coverage  was  based  on  CPSR  report  contents  and  discussions  with  the  eight 
analysts  that  performed  the  reviews.  When  reviewing  a  sample  of  purchase 
orders,  the  CPSR  team  completed  the  following  procedures: 

•  Reviewed  purchase  order  files  for  required  certifications  and 
documentation; 

•  Compiled  data  from  review  of  purchase  order  files  using  the  CPSR 
software  program  or  spreadsheets;  and, 

•  Analyzed  the  compiled  statistical  data  for  trends  and  indicators. 


*  For  DCAA  planning  purposes,  a  major  contractor  is  a  contractor  with  $80  million  or  more  in 
costs  subject  to  audit  in  a  single  fiscal  year. 
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The  team  also  interviewed  contractor  management  personnel  to  cover  specific 
areas  not  covered  by  the  purchase  order  file  review  and  gathered  infonnation  from 
DCAA  auditors  and  Government  specialists  in  engineering,  property, 
transportation,  and  other  areas. 

Although  the  CPSR  Guidebook  did  not  contain  explicit  instructions  for 
completing  the  reviews,  all  the  PSAs  (Purchasing  System  Analysts)  used  similar 
review  procedures.  Each  PSA  had  16  years  or  more  experience.  One  analyst 
demonstrated  that  the  actual  scope  of  review  performed  closely  compared  to  the 
instructions  in  the  1991  edition  of  the  Defense  Federal  Acquisition  Regulation 
Supplement  (DFARS),  Appendix  C.  We  compared  the  1991  DFARS  guidance  to 
the  CPSR  Guidebook  and  concluded  that  the  specific  procedures  outlined  in  the 
DFARS  provides  better  instructions  than  the  CPSR  Guidebook  and  may  be  used 
to  tailor  a  CPSR  review  program.  A  CPSR  review  program  is  essential  to  identify 
the  areas  and  review  procedures  that  should  be  coordinated  with  auditors.  The 
detailed  instructions  and  procedures  outlined  in  a  review  program  should  also 
serve  as  an  instructional  tool  to  benefit  new  employees.  The  need  to  plan  for  new 
hires  is  identified  as  one  of  the  initiatives  in  the  President’s  Management  Agenda 
for  FY  2002,  which  addresses  the  problem  that  may  be  caused  by  large-scale 
retirements  of  eligible  employees  within  a  few  years.  The  knowledge  and 
expertise  of  current  employees  must,  therefore,  be  conveyed  to  new  employees 
through  clear  instructions  or  training  tools. 

Similarity  of  DCMA  and  DCAA  Procedures.  We  compared  the  audit  areas 
covered  in  the  DCAA  standard  audit  program  with  the  CPSR  scope  of  review  and 
determined  that  six  of  the  eight  main  sections  in  the  DCAA  audit  program 
potentially  overlap  with  the  CPSR  coverage.  Appendix  B,  “Comparison  of 
DCAA  and  DCMA  Review  Procedures,”  shows  the  areas  that  overlap. 


Current  Planning  and  Coordination 


DCAA  and  DCMA  currently  have  separate  planning  processes  but  are  supposed 
to  coordinate  their  work  efforts. 

DCMA  Planning.  The  DCMA  One  Book  requires  the  CPSR  team  to  develop  a 
master  schedule  of  CPSRs  to  be  conducted  during  the  next  12  months  and  provide 
copies  to  the  district  CPSR  focal  point,  DCAA,  Headquarters  NASA,  the 
cognizant  ACOs  and,  when  warranted,  the  Procurement  Contracting  Officers. 

The  reviews  to  be  scheduled  are  detennined  based  on  risk  assessments 
(see  finding  B). 

Coordination  of  Annual  Plans.  Two  of  the  three  DCMA  offices  visited 
sent  an  annual  schedule  of  CPSRs  to  the  cognizant  audit  offices.  The  third  office 
established  a  master  schedule  on  a  local  shared  network  for  the  use  of  ACOs  but 
did  not  provide  the  information  to  the  affected  DCAA  field  audit  offices.  The 
DCAA  manager  of  one  audit  office  cognizant  of  several  major  contractors  stated 
that  an  annual  schedule  of  planned  CPSRs  would  be  very  useful  for  developing 
the  DCAA  audit  plans.  However,  he  had  never  received  an  annual  CPSR 
schedule. 
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Requesting  Audit  Services.  The  planning  and  coordination  of  the 
DCMA  reviews  should  include  considerations  of  when  and  how  to  use  DCAA 
audit  assistance.  The  CPSR  Guidebook,  instructs  the  CPSR  team  chief  on  the  role 
of  the  DCAA  auditor  when  participating  on  CPSR  teams.  Accordingly,  DCAA 
should  be  assigned  three  specific  topics:  material  estimating,  prompt  payment 
discounts,  and  interdivisional  transfers.  Audit  coverage  of  prompt  payment 
discounts  is  incorporated  into  the  standard  audit  program  for  purchasing  system 
internal  controls.  DCAA  reviews  material  estimating  as  part  of  an  audit  of  the 
internal  controls  of  the  contractor’s  material  estimating  system.  Contractor 
procedures  for  interdivisional  transfers  may  be  tested  during  incurred  cost  audits 
or  price  proposal  reviews.  Therefore,  DCMA  requests  of  DCAA  cover  only  a 
part  of  what  DCAA  is  required  to  address  in  a  purchasing  system  internal  control 
audit.  The  team  supervisor  should  also  conduct  a  pre-review  meeting  with 
Government  personnel,  including  DCAA,  on  the  first  day  of  the  on-site  field  visit. 
Government  personnel  should  be  invited  to  share  with  the  team  any  purchasing 
system-related  reviews  and  audits  that  may  have  been  conducted  during  the 
previous  12  months,  which  may  enable  the  team  to  forgo  duplicative  effort. 

The  audit  support  appeared  adequate  for  the  requested  audits.  However,  three  of 
the  seven  audits  concerned  major  contractors,  where  DCAA  is  required  to 
complete  audits  of  purchasing  system  internal  controls  to  meet  GAGAS. 
Therefore,  the  DCMA  could  have  requested  audit  coverage  of  more  than  three 
areas.  At  those  locations,  the  DCMA  requests  for  audit  support  should  have  been 
based  on  joint  planning  with  DCAA. 

Coordination  to  Determine  the  Scope  of  Review.  DCMA  did  not 
meet  or  coordinate  with  DCAA  prior  to  issuing  requests  for  audit.  Where 
meetings  took  place,  they  were  held  the  first  day  of  the  DCMA  field  visit,  per 
DCMA  One  Book  guidance.  The  following  are  examples  of  inadequate  or  no 
coordination: 

•  The  CPSR  team  performed  a  review  at  the  Northrop  Grumman 
Corporation  without  notifying  the  resident  audit  office  or  inviting  an 
auditor  to  be  part  of  the  review  team.  The  DCAA  auditors  learned 
several  months  later  that  the  CPSR  team  had  completed  a  review  and 
had  to  conduct  a  separate  audit  to  address  additional  audit  areas. 

•  At  one  DCMA  field  office,  the  Chief  of  the  Corporate  Support  Team 
had  prepared  a  standard  letter  to  respond  to  DCAA  notices  of  planned 
audits  of  purchasing  system  internal  controls  or  requests  for 
information.  The  letter  reiterated  the  DFARS  244.301  guidance  that 
members  of  other  organizations  such  as  audit  or  program  management 
activities  should  not  conduct  separate  reviews  but  may  participate  in  a 
future  review  to  be  conducted  for  the  ACO  by  the  CPSR  team.  The 
standard  letter  was  sent  without  consideration  of  why  the  information 
request  was  made.  For  example,  in  one  case,  a  DCAA  field  audit 
office  inquired  from  the  cognizant  DCMA  field  office  whether  a  CPSR 
was  planned  in  the  near  future  and  explained  the  reasons  why  an  audit 
of  the  contractor’s  purchasing  system  internal  controls  was  considered. 
The  DCMA  responded  with  the  standard  letter,  which  did  not  ask 
DCAA  to  explain  or  justify  the  need  for  an  audit  at  an  earlier  time. 
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•  At  another  DCMA  office,  five  CPSR  team  complaints  concerned 
perceived  DCAA  initiations  of  reviews  that  appeared  to  duplicate 
CPSRs  and  resulted  in  findings  that,  occasionally,  were  contrary  to  the 
DCMA  findings.  The  five  complaints  were  unsupported  and  were  the 
direct  result  of  inadequate  communication  and  coordination  between 
the  two  agencies. 

DCAA  Planning  and  Coordination  Requirements.  If  no  CPSR  is  scheduled, 
the  CAM,  Chapter  5-603,  “General  Audit  Policy,”  requires  the  auditor  to  perfonn 
a  purchasing  system  review  at  a  major  contractor  location  within  the  normal  cycle 
(2  to  4  years)  for  accounting  and  management  systems  audits.  The  CAM  also 
requires  the  auditor  to  coordinate  with  the  ACO  before  initiating  a  review  of  the 
contractor’s  purchasing  system.  Eleven  of  the  12  audits  evaluated  at  6  DCAA 
field  audit  offices  required  coordination  with  the  ACO  or  CPSR  team.  Six  of  the 
1 1  audits  did  not  fully  document  the  extent  of  coordination  or  any  failed  attempts. 
The  other  five  audits  contained  sufficient  infonnation  to  support  DCAA 
coordination  efforts  with  the  ACO  or  CPSR  team. 

The  CAM  audit  guidance  conflicts  with  instructions  in  the  DCAA  Audit  Program 
for  Purchasing  Controls.  The  CAM,  Chapter  5-603,  “General  Audit  Policy,” 
advises  that  if  no  CPSR  is  scheduled  within  the  DCAA  nonnal  cycle  for  systems 
audits  (2  to  4  years),  the  auditor  should  perform  a  purchasing  system  internal 
control  review  in  accordance  with  CAM  guidance.  However,  the  audit  program 
states  that  if  no  CPSR  review  is  scheduled  in  a  reasonable  time,  and  the  auditor 
feels  the  Government  is  at  risk,  the  concerns  should  be  elevated  to  the  regional 
offices  prior  to  any  audit  effort. 

Although  DCMA  had  not  scheduled  a  review,  a  supervisor  at  one  of  the  six  field 
offices  had  followed  the  CAM  instructions  and  proceeded  with  a  planned  audit 
without  contacting  the  regional  office.  To  avoid  confusion,  the  CAM  guidance 
should  be  amended  to  conform  to  the  instructions  in  the  audit  program. 

Differences  in  DCMA  and  DCAA  Planning  and  Coordination  Guidance.  The 

DCMA  and  DCAA  guidelines  on  coordination  of  purchasing  system  review 
activities  differed.  The  CPSR  Guidebook  explains  that  CPSR  teams  may  reduce 
DCAA  on-site  audits  by  sharing  CPSR  work  papers  with  auditors  planning  to 
conduct  internal  control  system  audits.  However,  the  guidance  does  not  stress  the 
importance  of  auditor  participation  in  a  joint  review  to  address  audit  concerns  and 
avoid  duplication,  nor  does  it  explain  the  kind  of  work  papers  that  the  auditor 
would  need  to  reduce  on-site  audits.  The  emphasis  is  different  in  the  DCAA 
CAM,  Chapter  5-1302.3,  “Auditor  Participation  on  CPSR  Teams.”  CAM  stresses 
that  the  auditor  and  the  PSA  have  related  responsibilities;  therefore,  it  is 
imperative  that  they  coordinate  and  correlate  their  activities. 

Examples  of  Successful  Coordination.  Excellent  examples  of  successful 
coordination  between  DCMA  and  DCAA  existed  at  three  contractor  locations.  At 
two  of  the  locations,  Lockheed  Martin  Space  Systems,  Mississippi,  and  General 
Dynamics  Advanced  Technology  Systems,  North  Carolina,  the  auditor  and  the 
PSA  used  the  DCAA  audit  program  to  divide  the  work  to  be  performed  with 
excellent  results.  The  DCAA  standard  audit  program  covers  all  areas  addressed 
by  the  CPSR  team  as  well  as  electronic  data  processing  not  reviewed  as  part  of  a 
CPSR.  The  joint  use  of  the  same  program  ensured  that  duplication  did  not  occur 


7 


while  the  auditor  and  the  PSA  could  each  accomplish  their  review  objectives.  At 
Lockheed  Martin  Federal  Systems,  Virginia,  a  team  composed  of  the  PSA,  DCAA 
auditor,  and  contractor  internal  auditors  compared  purchasing  system  review 
procedures  to  avoid  duplication,  using  the  DCAA  audit  program  as  a  baseline. 

The  team  examined  42  review  elements  and  detennined  that  30  elements 
contained  overlapping  procedures  for  review  of  contractor  policies  and 
procedures,  purchase  order  and  subcontract  clauses,  and  management  of 
purchasing.  According  to  the  DCMA  team  participant,  the  extensive  pre-planning 
effort  benefited  only  the  review  performed  at  Lockheed  Martin  Federal  Systems, 
and  lessons  learned  were  not  incorporated  into  the  DCMA  guidance.  Further,  in 
each  of  the  three  cases,  either  the  ACO,  the  auditor,  or  the  contractor  had 
coordinated  the  effort.  Improved  DCMA  and  DCAA  guidance  should  aid  the 
CPSR  team  leader  in  initiating  similar  cooperation. 


Summary 


The  DCMA  CPSRs  and  the  DCAA  audits  of  purchasing  system  internal  controls 
are  two  reviews  of  the  same  processes.  Each  is  for  equally  important  but  different 
purposes.  Joint  annual  (or  other  cycle)  planning  for  the  reviews  with  coordinated 
implementation  of  the  plans  would  provide  more  efficient  and  effective  use  of 
DCMA  and  DCAA  resources.  In  the  past  decade,  DoD  has  reduced  the 
acquisition  work  force  by  about  50  percent.  The  DCMA  CPSR  staff  has  been 
reduced  by  69  percent,  whereas  the  DCAA  staff  reduction  since  1990  is  about 
44  percent.  Because  of  the  reduction  in  the  number  of  DCMA  and  DCAA  staff  to 
perform  the  CPSRs  in  recent  years,  joint  planning  becomes  critical  to  effectively 
use  the  organizations’  resources.  DCMA  and  DCAA  should  together  review  their 
processes  to  detennine  how  best  to  plan,  coordinate,  and  accomplish  their 
reviews. 

A  DCMA  and  DCAA  joint  process  for  planning  and  coordinating  performance  of 
purchasing  system  reviews  should  correct  problems  identified  in  this  report: 

•  Inconsistent  dissemination  of  DCMA  review  schedules  to  DCAA; 

•  Requests  for  audit  services  not  tailored  to  the  DCAA  audit 
environment  where  internal  control  systems  audits  must  be  performed; 

•  Insufficient  CPSR  Guidebook  explanations  of  auditor  need  to 
participate  in  a  CPSR  to  obtain  purchasing  system  information  and 
plan  related  audits; 

•  Inconsistent  DCAA  guidance  for  coordination  with  ACOs  and  the 
CPSR  team;  and, 

•  Inadequate  support  for  DCAA  reliance  on  the  work  of  others 
(finding  B). 

Further,  a  jointly  developed  DCMA/DCAA  review  program  could  facilitate 
coordination  of  review  coverage  and  avoid  duplication  and  overlap  during  CPSRs 
and  audits  of  purchasing  system  internal  controls.  A  jointly  perfonned  review 
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could  also  expand  the  review  coverage.  The  DCAA  audit  program  includes 
procedures  that  do  not  overlap  or  duplicate  DCMA  reviews.  The  audit  program 
requires  the  auditor  to  develop  a  sufficient  understanding  of  the  contractor’s 
electronic  information  and  communication  processes  to  identify  significant 
classes  of  transactions  and  how  they  are  processed,  controlled,  and  reported. 
Auditors  also  perfonn  transactional  testing  using  statistical  sampling  methods. 
The  insights  gained  from  audit  tests  of  the  electronic  data  processing  system 
should  make  the  CPSR  more  useful  to  ACOs. 


Management  Comments  on  the  Finding  and  Evaluation 
Response 


DCMA  Comments  on  Audit  Participation  in  a  Review.  The  Executive 
Director,  Contract  Management  Operations,  concurred  with  the  finding  and  stated 
that  the  DCMA  Directive  1  (the  One  Book),  Chapter  7.4,  Contractor  Purchasing 
System  Review,  contains  guidance  on  audit  participation,  but  said  that  the 
guidance  was  adequate. 

Evaluation  Response.  We  disagree  that  existing  guidance  is  adequate.  Although 
the  guidance  encourages  a  coordinated  team  approach  to  promote  the  sharing  of 
data  and  reduction  of  duplicate  effort,  effective  teamwork  did  not  occur.  The 
guidance  does  not  explain  that  coordination  with  DCAA  is  necessary  to  avoid 
duplicative  reviews  and  address  the  concerns  of  both  organizations.  Also,  sharing 
annual  schedules  after  the  fact,  does  not  ensure  the  most  efficient  use  of 
resources.  A  joint  planning  process  would  be  more  efficient. 


Recommendations,  Management  Comments,  and  Evaluation 
Response 

A.  We  recommend  that  the  Director,  Defense  Contract  Management  Agency 
and  the  Director,  Defense  Contract  Audit  Agency  jointly  reengineer  their 
processes  and  procedures  for  performing  reviews  and  audits  of  contractor 
purchasing  systems  to  establish  joint  planning  and  coordination  processes 
that  will  more  effectively  meet  the  needs  of  both  organizations,  avoid 
duplication,  and  effectively  leverage  the  resources  of  both  organizations.  The 
review  processes  and  procedures  should  address  the  specific  deficiencies 
identified  in  this  report. 

DCMA  Comments.  The  Executive  Director,  Contract  Management  Operations, 
DCMA  concurred  and  stated  that  Directive  1,  Chapter  7.4,  and  the  DCAA  CAM 
provide  sufficient  procedures  for  planning  and  coordination  of  reviews.  DCMA 
will  issue  an  Infonnation  Memorandum  to  re-emphasize  the  need  for  such 
coordination  when  performing  a  CPSR. 

Evaluation  Response.  Although  the  Executive  Director  concurred,  the 
comments  are  not  responsive.  Issuing  an  Information  Memorandum  to  emphasize 
existing  guidance  is  not  sufficient.  We  recommended  that  the  Director,  DCMA, 
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and  the  Director,  DCAA,  jointly  reengineer  their  processes  and  procedures  for 
performing  reviews  and  audits  of  contractor  purchasing  systems.  We  included  a 
statement  that  the  specific  deficiencies  identified  in  the  report  should  be 
addressed.  The  intent  of  the  recommendation  will  therefore  be  implemented  if  the 
DCMA  Directive  1  is  amended  to  fully  address  auditor  participation  in  a  CPSR. 

A  final  response  should  include  an  agenda  for  coordination  with  the  DCAA  and 
an  action  plan  for  revising  the  Directive. 

DCAA  Comments.  The  Assistant  Director,  Policy  and  Planning,  DCAA 
concurred  and  will  coordinate  with  DCMA  to  re-evaluate  its  planning  and 
coordination  processes  for  conducting  audits  of  contractor  purchasing  systems 
and  related  internal  controls  to  ensure  the  processes  will  facilitate  sufficient  audit 
coverage  and  avoid  duplication.  By  January  31,  2003,  DCAA  will  issue  a 
Memorandum  for  Regional  Directors,  after  coordination  with  DCMA,  to  provide 
audit  guidance  to  field  auditors  on  the  enhanced  coordination  and  planning 
process.  The  guidance  will  include  a  reminder  for  auditors  to  coordinate  with 
DCMA  when  initiating  a  purchasing  system  review  and  a  requirement  for  auditors 
to  document  the  results  of  this  coordination  in  the  working  papers.  In  April  2003, 
DCAA  will  also  make  any  necessary  revisions  to  the  standard  audit  program, 
Reviewing  and  Reporting  on  Contractor  Purchasing  System  and  Related  Internal 
Controls.  Necessary  revisions  to  the  guidance  contained  in  the  Contract  Audit 
Manual  will  be  made  for  the  July  2003  update. 

Evaluation  Response.  The  Assistant  Director’s  proposed  action  plan  is 
acceptable.  We  believe  that  DCMA  and  DCAA,  working  together,  can  develop 
the  most  effective  processes  for  both  organizations. 
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B.  Performance  of  Reviews 

Although  the  DCMA  PSAs  adequately  covered  prescribed  review  areas 
and  supported  reported  findings,  risk  assessments  and  the  documentation 
of  work  perfonned  during  the  reviews  could  be  improved.  The  conditions 
occurred  because  the  DCMA  One  Book  guidance  was  inadequate.  In 
addition,  auditors  relied  on  work  performed  by  the  CPSR  teams  without 
sufficient  justifications,  which  was  not  in  compliance  with  GAGAS  and 
DCAA  audit  guidance. 

As  a  result  of  inconsistent  risk  assessments,  reviews  may  not  be  scheduled 
when  needed  or  unnecessary  reviews  may  be  performed.  Auditor 
noncompliance  with  GAGAS  when  relying  on  work  perfonned  by  others 
lessened  the  usefulness  of  the  audit  report. 


Risk  Assessments 


The  DCMA  One  Book,  Chapter  7.4,  “Consent  to  Subcontract/CPSRs,” 
Attachment  3,  contains  the  CPSR  Guidebook,  which  explains  that  the  ACO,  in 
consultation  with  the  CPSR  Team,  should  manage  the  risk  associated  with 
contractor  purchasing  systems  based  on  two  risk  assessments.  The  initial  risk 
assessment  determines  the  need  for  an  on-site  CPSR.  The  CPSR  Guidebook 
identifies  13  risk  factors  to  be  considered  during  the  initial  assessment  and 
provides  2  sample  formats  to  be  used  in  the  rating  process.  One  format  assigns  a 
numerical  rating  to  the  13  risk  factors  based  on  specific  conditions.  The  other 
format  allows  for  a  narrative  on  each  factor.  When  a  CPSR  is  required,  a  second 
risk  assessment  determines  the  scope  of  the  review.  The  CPSR  Guidebook  does 
not  explain  what  to  consider  in  the  second  risk  assessment. 

DCMA  also  has  a  Risk  Assessment  Management  Program  (RAMP),  which  is  an 
on-line  system  for  assessing  elements  of  a  contractor’s  business  and  financial 
services,  including  the  purchasing  system.  The  guidance  on  the  RAMP  is 
included  in  the  DCMA  One  Book,  Chapter  3.1,  “Supplier  Risk  Management,” 
which  requires  the  operations  team  or  functional  specialist  to  assign  a  risk  rating 
to  significant  elements  of  contractor  financial  and  business  systems,  including  the 
purchasing  system.  The  CPSR  Guidebook  does  not  clarify  how  the  RAMP 
ratings  relate  to  the  initial  assessments  that  identify  contractors  to  be  reviewed  and 
the  second  assessments  that  should  detennine  the  scope  of  the  individual  reviews. 

Performance  of  Risk  Assessments.  Although  the  CPSR  Guidebook  discusses 
the  need  to  perform  initial  and  second  risk  assessments,  DCMA  only  completed 
initial  assessments,  which  were  used  for  dual  purposes.  Thirty-three  initial  risk 
assessments  at  two  of  three  DCMA  offices  visited  were  adequately  documented 
with  explanations  for  the  assigned  risk  ratings.  However,  the  third  location  did 
not  complete  initial  risk  assessments  to  determine  whether  a  CPSR  was  required 
but  scheduled  reviews  for  all  contractors  that  met  the  threshold  on  a  3-year  cycle. 
The  two  offices  that  completed  initial  risk  assessments  used  them  to  schedule 
CPSR  reviews  and  to  plan  the  scope  of  the  reviews  with  the  ACOs.  At  the  third 
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office,  at  least  one  CPSR  should  not  have  been  performed  because  the  contractor 
no  longer  met  the  threshold.  The  analyst  was  half  way  through  the  review  before 
realizing  that. 

One  of  the  two  offices  that  completed  initial  risk  assessments  used  four  different 
methods,  including  the  CPSR  Guidebook  sample  format,  the  RAMP  system,  and 
two  forms  designed  by  the  CPSR  team  chief  to  adjust  for  omissions  or 
inadequacies  in  the  CPSR  Guidebook  and  the  RAMP.  For  one  contractor,  the 
analyst  used  more  than  one  risk  assessment  format  with  conflicting  results. 

Guidance  on  Initial  Assessments.  The  CPSR  Guidebook  instructions  for 
performing  the  initial  risk  assessment  could  be  improved.  The  numerical  rating 
from  1  (low  risk)  to  5  (high  risk)  assigned  to  the  13  risk  factors  shown  in  1  of  the 
2  sample  formats  in  the  CPSR  Guidebook  Appendix  D  should  be  reevaluated. 

For  example,  4  of  the  13  factors  assign  only  a  medium  risk  to  a  new  contractor 
with  no  status  history.  Therefore,  the  calculated  weighted  average  may  yield  a 
medium,  or  lower,  risk  rating  and  indicate  no  immediate  need  for  a  review.  A 
new  contractor  with  no  status  should  be  assigned  a  high  risk  to  ensure  that  a 
CPSR  is  included  in  the  review  plan.  The  second  format  allows  for  a  narrative  to 
be  used  instead  of  a  rating  factor.  However,  the  illustration  shows  only  the  first  3 
of  the  13  risk  factors  to  be  rated  and  does  not  clarify  that  an  assessment  should  be 
made  for  all  13  factors.  As  a  result,  at  least  one  analyst  believed  the  second 
format  only  covered  three  factors  and  was  not  useful. 

Guidance  on  Second  Assessments.  The  instructions  related  to  the  second 
risk  assessment  could  also  be  improved.  The  second  assessment  should  be  used 
to  determine  where  to  concentrate  the  review  effort  and  to  determine  how  much 
transactional  testing  may  be  necessary.  In  a  discussion  of  the  second  risk 
assessment,  the  CPSR  Guidebook  instructs  the  CPSR  specialist  to  identify  key 
processes,  defined  as  those  that  can  adversely  affect  contract  performance,  cost,  or 
schedule.  At  a  minimum,  the  CPSR  Guidebook  requires  an  assessment  of  four 
specific  key  processes  that  are  incorporated  into  the  RAMP  system: 

•  Contractor  vendor  rating; 

•  Contractor  best  value; 

•  Contractor  make/buy;  and, 

•  Contractor  internal  purchasing  system  audits. 

Field  personnel  did  not  agree  that  the  mandatory  four  key  processes  were  the  most 
critical  to  be  covered  in  all  reviews.  Field  personnel  believed  other  processes 
would  yield  more  accurate  and  relevant  risk  infonnation.  One  manager  identified 
the  following  processes  as  more  indicative  of  risk  inherent  in  the  purchasing 
system: 

•  Source  selection  (including  vendor  rating  and  competitive 
procurements); 

•  Contractor  perfonnance  of  price  and  cost  analysis  of  vendors; 
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•  Contractor  compliance  with  public  laws;  and, 

•  Terms  and  conditions  of  the  contract  (for  example,  flow  down  clauses, 
restrictive  language,  and  advance  consent  requirements). 

The  CPSR  Guidebook  should  emphasize  the  difference  between  the  risk  to 
consider  for  planning  the  annual  workload  and  the  risk  to  consider  that  is  inherent 
in  contractor  internal  controls  when  planning  the  CPSR.  Further,  rather  than 
mandate  the  coverage  of  four  specific  key  processes,  the  CPSR  Guidebook  should 
provide  criteria  to  assist  analysts  in  identifying  key  processes  for  risk  assessments 
and  incorporation  into  a  review  plan.  Where  no  knowledge  exists  to  support  a 
low  or  medium  risk  assessment,  the  guidance  should  instruct  analysts  to  assign  a 
high  risk  and  to  adjust  the  risk  factors  based  on  actual  review  results. 


Documentation  of  Review  Procedures 


The  DCMA  One  Book  guidance  includes  only  limited  instructions  for 
documentation  of  review  efforts.  The  DCMA  One  Book,  Chapter  7,  section  4.6.5, 
“Risk  Documentation,”  states  that  the  operations  teams  or  functional  specialists 
must  record  and  maintain  documentation  of  risk  assessments,  risk  handling,  and 
risk  monitoring  results,  as  applicable.  However,  the  guidance  contains  no 
requirements  that  the  reviewers  document  the  methods  and  techniques  used  in  the 
reviews  performed  based  on  the  risk  assessments.  Although  the  DCMA  One 
Book  explains  that  the  CPSR  teams  may  reduce  DCAA  on-site  audits  by  sharing 
CPSR  work  papers,  it  contains  no  instructions  or  descriptions  of  what  type  of 
work  papers  may  be  useful  to  that  end. 

Documentation  to  Support  Findings.  The  13  CPSR  files  did  not  contain 
documentation  of  analytical  procedures,  sampling  methods,  or  infonnation 
regarding  the  criteria  used  to  evaluate  contractor-provided  data  other  than 
purchase  orders.  Some  documentation  existed  to  explain  the  criteria  used  in  the 
review  of  purchase  orders,  which  was  the  only  area  subject  to  transactional 
testing.  However,  the  sampling  methodology  and  trend  analyses  related  to 
purchase  orders  were  not  explained. 

Without  sufficient  documentation  to  describe  methods  and  techniques,  including 
criteria  used  in  the  reviews,  considerable  effort  must  be  expended  to  reconstruct 
and  understand  what  the  analysts  have  covered.  The  success  of  this  effort 
depends  on  the  availability  of  the  analyst  who  has  perfonned  the  review. 

Adequate  documentation  would  ensure  that  the  personal  assistance  of  an  analyst 
is  minimized.  The  existence  of  documentation  would  also  facilitate  on-the-job 
training  of  new  employees. 
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Auditor  Reliance  on  Work  Performed  by  Others 


DCAA  may  avoid  duplicating  review  procedures  by  relying  on  work  performed 
by  others,  in  this  case  the  DCMA  CPSR  team,  and  still  meet  the  audit  objectives. 
GAGAS  6.14  through  6.16  on  “Considering  Others’  Work”  requires  auditors  to 
perform  procedures  that  provide  a  sufficient  basis  for  that  reliance.  Auditors  can 
determine  the  sufficiency,  relevance,  and  competence  of  other  auditors’  evidence 
by  reviewing  their  report,  audit  program,  or  working  papers  or  making 
supplemental  tests  of  their  work,  if  necessary.  Auditors  face  similar 
considerations  when  relying  on  the  work  of  nonauditors.  GAGAS  6.16  requires 
the  auditors  to  obtain  an  understanding  of  the  methods  and  significant 
assumptions  that  nonauditors  used. 

CAM  5-603  specifies  that  it  is  not  the  auditor’s  responsibility  to  review  the 
quality  of  the  CPSR  team’s  work.  However,  the  auditor  must  understand  the 
scope  of  the  work  performed  in  order  to  determine  whether  additional  audit 
procedures  are  necessary  to  satisfy  any  DCAA  concerns. 

DCAA  Auditor  Reliance  on  Work  of  Internal  Auditors  and  Nonauditors.  Of 

the  nine  audits  that  required  coordination  with  DCMA,  six  did  not  document  how 
the  auditor  relied  on  work  performed  by  the  CPSR  team  or  internal  auditors.  The 
auditor  relied  on  both  the  contractor’s  internal  auditors  and  the  CPSR  team  in  one 
of  the  six  audits,  on  contractor  internal  auditors  in  two  audits,  and  on  the  CPSR 
team  in  three  audits.  None  of  the  six  audits  included  sufficient  explanations  to 
support  reliance  on  the  internal  auditors  and  the  CPSR  team.  For  example: 

•  In  one  of  the  audits,  the  auditor  incorporated  CPSR  report  findings  into 
the  DCAA  audit  report,  recording  80  hours  for  audit  program 
procedures  that  were  not  performed  but  merely  referred  to  the  CPSR 
team  with  no  additional  explanations  or  supplemental  tests  to  justify 
reliance. 

•  In  another  example,  the  auditor  included  work  papers  from  the  internal 
audit  but  did  not  document  the  internal  auditor’s  qualifications  and 
independence. 

Although  internal  auditors  may  have  work  papers  that  enable  an  auditor  to 
determine  the  sufficiency,  relevance,  and  competence  of  the  auditor’s  work,  work 
papers  alone  do  not  provide  a  basis  for  reliance.  The  auditor  must  also  show  that 
the  internal  auditors  are  qualified  and  independent. 

The  CPSR  team’s  documentation  may  not  be  sufficient  to  enable  an  auditor  to 
render  an  audit  opinion  on  the  evidence  supporting  the  report.  In  that  case,  the 
auditor  should  attempt  to  understand  the  review  methods  and  techniques  through 
discussions  with  the  PSAs  and,  if  necessary,  perfonn  supplemental  tests  to 
support  audit  reliance  on  the  CPSR  team’s  work. 
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Results  of  Related  Quality  Assurance  Reviews.  The  DCAA  completed  an 
internal  quality  assurance  review  of  internal  control  systems  audits,  including 
audits  of  purchasing  system  internal  controls,  in  FY  2000.  The  internal  review 
disclosed,  among  other  findings,  that  auditors  relied  on  internal  audit  results 
without  adequately  detennining  the  sufficiency/reliability  of  the  internal  auditors 
efforts.  Because  DCAA  took  corrective  actions,  we  are  making  no  further 
recommendations  concerning  auditor  reliance  on  work  performed  by  others. 


Recommendations  and  Management  Comments 


B.l.  We  recommend  that  the  Director,  DCMA  clarify  guidance  on  risk 
assessments.  At  a  minimum,  the  guidance  should: 

a.  Clearly  differentiate  between  risks  to  consider  for  annual  planning 
purposes  and  the  risks  to  consider  when  planning  the  scope  of  a  specific 
review; 


b.  Advise  that  a  high  risk  factor  should  be  assigned  until  adequate 
information  exists  to  support  a  medium  or  low  risk;  and, 

c.  Amend  instructions  to  base  the  identification  of  key  processes  on 
an  understanding  of  the  contractor’s  system  rather  than  four  specific 
requirements. 

Management  Comments.  The  Executive  Director,  Contract  Management 
Operations,  DCMA  concurred  and  plans  to  revise  the  One  Book  to  correct  the 
disconnect  between  risk  planning  and  risk  rating.  The  DCMA  will  also  ensure 
that  the  One  Book  provides  instructions  that  will  allow  the  performance  of  a 
CPSR  for  qualifying  contractors  when  lack  of  infonnation  inhibits  a  risk  rating  to 
be  assigned.  Key  processes  listed  in  the  Directive  1,  Chapter  7.4,  Paragraph 
4.6. 1.3  will  be  revised  to  include  more  appropriate  processes. 

B.2.  We  recommend  that  the  Director,  DCMA  instruct  analysts  to  improve 
documentation  in  files  in  sufficient  detail  to  enable  a  reviewer  to  understand 
the  methods,  techniques,  and  criteria  used  to  support  the  findings  without 
the  personal  assistance  of  the  analyst. 

Management  Comments.  The  Executive  Director,  Contract  Management 
Operations,  DCMA  concurred  and  will  issue  an  Information  Memorandum  to  re¬ 
emphasize  the  need  for  adequate  and  proper  documentation  of  files. 
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Appendix  A.  Scope  and  Methodology 


We  visited  three  DCMA  field  offices  that  performed  risk  assessments  and  CPSRs 
and  seven  DCAA  field  offices  that  provided  support  to  DCMA  on  request  or 
audited  purchasing  system  internal  controls.  An  additional  DCAA  office  not 
visited  provided  information  on  seven  DCMA  requests  for  limited  audit  services. 
We  based  our  review  on  the  FAR  and  DFARS  requirements  for  consent  to 
subcontract  and  CPSRs,  the  DCMA  One  Book,  including  the  CPSR  Guidebook, 
for  performing  risk  assessments  and  conducting  CPSRs,  and  the  DCAA  CAM 
guidance  for  auditors. 

At  the  DCMA  field  offices,  we  used  the  following  methodology. 

•  To  determine  the  adequacy  of  planning  procedures,  we  evaluated  the 
criteria  used  in  33  risk  assessments  and  determined  whether  the  results 
were  used  to  plan  subsequent  CPSRs.  We  also  interviewed  ACOs  in 
regard  to  the  results  of  CPSRs  and  risk  assessments. 

•  To  evaluate  the  overall  adequacy  of  the  CPSRs,  we  reviewed  the  file 
documents  supporting  13  reviews  and  interviewed  analysts  and 
supervisors  to  determine  the  scope  of  review,  the  methods,  and 
techniques  used  in  conducting  the  CPSRs.  We  compared  the  resultant 
coverage  to  the  One  Book  requirements.  We  also  received  a 
demonstration  of  the  new  CPSR  software  program  and  discussed  the 
benefits  and  deficiencies  of  the  new  software  with  the  analysts. 

•  To  evaluate  the  adequacy  of  current  guidance,  we  interviewed  analysts 
and  supervisors  and  reviewed  superseded  DFARS  instructions  for 
performing  CPSRs. 

•  To  evaluate  the  adequacy  of  support  for  findings  in  the  CPSR  reports,  we 
reviewed  contractor-provided  data,  including  written  purchasing  policies 
and  procedures,  sales,  organizational  and  purchase  order  file  information; 
handwritten  question  sheets,  checklists  used  by  the  analysts  during  the 
on-site  review  of  purchase  order  files,  and  printouts  of  data  from  software 
used  during  the  review. 

•  To  evaluate  the  use  of  audit  support  services,  we  compared  the  scope  of 
review  specified  in  17  DCMA  requests. 

At  the  DCAA  field  audit  offices,  we  verified  whether  an  audit  was  performed  at 
the  request  of  DCMA  or  set  up  to  examine  the  contractor’s  purchasing  system 
internal  controls.  We  used  the  following  methodology  to  evaluate  the 
performance  of  the  audits. 
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•  To  evaluate  the  adequacy  of  audits  performed  in  response  to  DCMA 
requests,  we  reviewed  seven  audit  files  at  four  DCAA  field  offices, 
including  three  requests  that  DCAA  incorporated  into  an  expanded  audit 
of  the  contractor’s  purchasing  system  internal  controls.  We  reviewed  the 
work  papers  completed  to  respond  to  the  request. 

•  To  evaluate  the  adequacy  of  DCAA  audits  of  purchasing  system  internal 
controls,  we  reviewed  audit  files  for  documentation  of  planning,  risk 
assessments,  coordination  with  the  ACO  and  CPSR  teams,  and  extent  of 
reliance  on  work  performed  by  others.  We  used  a  quality  assurance 
checklist  developed  by  DCAA  for  evaluation  of  internal  control  systems 
audits. 

•  To  supplement  audit  documentation  and  determine  whether  unrecorded 
discussions  had  been  held  with  the  ACO  and  the  CPSR  teams,  we 
interviewed  auditors  and  supervisors.  We  also  contacted  ACOs  and 
analysts  per  telephone  concerning  meetings  or  conversations  to 
coordinate  the  audits  evaluated  at  the  DCAA  sites  visited. 

Use  of  Computer-Processed  Data.  We  did  not  rely  on  computer-processed  data 
for  the  evaluation  of  DCMA  performed  risk  assessments  and  CPSRs.  We  relied 
on  computer-processed  data  from  the  DCAA  Management  Information  System  to 
identify  field  audit  offices  perfonning  purchasing  system  reviews.  Although  we 
did  not  perform  a  formal  reliability  assessment  of  DCAA  computer-processed 
data,  we  determined  that  the  assignment  numbers,  dollars  examined,  and 
questioned  costs  for  the  selected  audit  assignments  generally  agreed  with  the 
computer-processed  data.  We  did  not  find  errors  that  would  preclude  use  of  the 
data  to  meet  the  evaluation  objectives  or  that  would  change  our  report 
conclusions. 

Universe  and  Sample.  We  judgmentally  selected  three  DCMA  field  offices  and 
eight  DCAA  audit  offices  from  three  regions.  The  DCMA  office  selections  were 
based  on  our  analysis  of  DCMA  workload  for  FYs  1998  through  2000  and 
proximity  to  DCAA  field  offices.  We  evaluated  33  of  55  risk  assessments  and  13 
of  76  CPSRs  completed  during  the  time  period  selected.  To  select  the  CPSRs,  we 
considered  the  type  of  review  performed  (comprehensive  or  followup)  and 
whether  the  review  resulted  in  ACO  approval  or  disapproval  of  the  contractor’s 
purchasing  system. 

The  DCAA  office  selections  were  based  on  an  analysis  of  data  extracted  from  the 
DCAA  Management  Infonnation  System  from  October  1,  1997,  through 
September  10,  2001.  We  were  unable  to  detennine  how  many  of  the  audits 
performed  during  the  period  were  requested  by  DCMA  and  how  many  DCAA 
initiated  because  all  audits  were  perfonned  under  the  same  DCAA  activity 
code,  12030.  However,  we  selected  six  field  audit  offices  with  large  audit 
assignments,  as  indicated  by  the  number  of  hours  recorded  in  the  Infonnation 
System,  and  two  offices  in  close  proximity  to  DCMA  with  several  small  audit 
assignments.  The  6  offices  had  completed  12  audits  of  purchasing  system  internal 
controls  from  October  1,  1997,  through  September  10,  2001,  which  we  evaluated. 
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We  also  obtained  copies  of  DCMA  audit  requests  from  two  audit  offices  in  close 
vicinity  to  DCMA  field  offices  and  visited  one  of  the  two  audit  offices.  The 
8  offices  had  received  17  DCMA  requests  for  audit  support  in  a  CPSR,  which  we 
reviewed. 

Evaluation  Dates  and  Standards.  We  performed  this  evaluation  from  May  2001 
through  July  2002,  according  to  standards  issued  by  the  Inspector  General  of  the 
Department  of  Defense. 


Management  Control  Program  Review 

The  DoD  Directive  5010.38,  “Management  Control  Program,”  August  26,  1996, 
and  DoD  Instruction  5010.40,  “Management  Control  Program  Procedures,” 
August  28,  1996,  require  the  Department  of  Defense  organizations  to  implement  a 
comprehensive  system  of  management  controls  that  provides  reasonable 
assurance  that  programs  are  operating  as  intended  and  to  evaluate  the  adequacy  of 
controls. 

Scope  of  the  Review  of  the  Management  Control  Program.  We  reviewed  the 
adequacy  of  DCMA  management  controls  over  CPSRs.  Specifically,  we 
reviewed  the  management  controls  for  maintaining  a  complete  and  accurate  CPSR 
database  and  ensuring  the  timely  and  appropriate  scheduling  of  reviews  based  on 
risk  assessments. 

We  reviewed  the  DCAA  management  controls  over  purchasing  system  internal 
control  reviews.  Specifically,  we  reviewed  management  controls  over  audit 
programs,  documentation  of  coordination  with  ACOs  and  CPSR  teams,  and  audit 
reporting. 

Because  we  did  not  identify  a  material  weakness,  we  did  not  assess  managements’ 
self-evaluations. 

Adequacy  of  Management  Controls.  Management  controls  were  adequate  in 
that  we  identified  no  material  management  control  weaknesses. 


Prior  Coverage 

No  prior  coverage  has  been  conducted  on  the  subject  during  the  last  5  years. 
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Appendix  B.  Comparison  of  Review  Coverage 


The  table  compares  the  planned  audit  coverage  in  the  DCAA  standard  audit 
program  to  observed  CPSR  coverage. 


DCAA  Audit  Procedures 

DCMA  CPSR  Team  Procedures 

Potential 

Overlap 

PRELIMINARY  AUDIT  EFFORT: 

Obtains  pertinent  contractor  data  from 
permanent  files  and  the  contractor.  Conducts 
entrance  conference. 

Obtains  pertinent  information  from  the 
contractor.  Conducts  entrance 
conference. 

Yes 

CONTROL  ENVIRONMENT: 

Reviews  organization  structure  and  overall 
control  environment  of  company,  drawing 
from  prior  reviews  and  experience  with 
contractor. 

Reviews  organization  structure, 
contractor’s  conflict  of  interest  form  and 
any  prior  CPSRs. 

Partial 

CONTRACTOR’S  RISK  ASSESSMENT: 

Obtains  understanding  of  contractor’s 
management  processes  in  handling  risk 
associated  with  the  purchasing  system. 

Reviews  management  reports,  internal 
audit  reports,  and  associated  policies  and 
procedures  such  as  rotation  of  buyers. 

Yes 

INFORMATION  &  COMMUNICATION: 

Obtains  understanding  of  contract  cost  data 
processes  and  traces  selected  transactions 
through  the  manual  or  electronic  data 
processing  system. 

Not  performed  by  the  CPSR  analyst. 

No 

MONITORING: 

Obtains  understanding  of  management  and 
supervisory  activities,  internal  audit 
involvement,  and  external  party  involvement 
in  monitoring  process. 

Reviews  management  reports,  and 
internal  audit  reports. 

Yes 

CONTROL  OBJECTIVES  AND 
ACTIVITIES: 

Reviews  training,  policies  &  procedures, 
purchase  orders  &  subcontract  clauses, 
purchase  file  data,  source  selection  process, 
pricing  &  negotiation,  subcontract  award  and 
administration. 

Reviews  policies  &  procedures  using 

FAR  checklist,  training  records  for 
purchasing  personnel,  purchase  order 
files,  certifications  and  forms,  source 
selection  data,  price  analysis  data,  and 
subcontract  awards. 

Yes 

ASSESSMENT  OF  CONTROL  RISK: 

Analyzes  and  summarizes  results  of  audit  and 
determines  audit  opinion  on  adequacy  of  the 
system. 

Analyzes  results  of  review  and 
determines  appro val/withheld 
recommendation  for  ACO. 

Yes 

SUMMARY  AUDIT  STEPS: 

Prepares  audit  report  for  ACO. 

Prepares  report  for  ACO. 

Yes 

19 


Appendix  C.  Report  Distribution 


Office  of  the  Secretary  of  Defense 


Under  Secretary  of  Defense  for  Acquisition,  Technology,  and  Logistics 
Director,  Defense  Procurement 

Under  Secretary  of  Defense  (Comp troller)/Chief  Financial  Officer 

Other  Defense  Organizations 


Director,  Defense  Contract  Management  Agency 
Director,  Defense  Contract  Audit  Agency 

Congressional  Committees  and  Subcommittees,  Chairman  and 
Ranking  Minority  Member 


Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Anned  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 
House  Committee  on  Armed  Services 
House  Committee  on  Government  Reform 

House  Subcommittee  on  Government  Efficiency,  Financial  Management,  and 
Intergovernmental  Relations,  Committee  on  Government  Reform 
House  Subcommittee  on  National  Security,  Veterans  Affairs,  and  International  Relations, 
Committee  on  Government  Reform 

House  Subcommittee  on  Technology  and  Procurement  Policy,  Committee  on 
Government  Reform 
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Defense  Contract  Audit  Agency 
Comments 


DEFENSE  CONTRACT  AUDIT  AGENCY 
DEPARTMENT  OF  DEFENSE 

8725  JOHN  J.  KINGMAN  ROAD,  SUITE  2135 
FORT  BEL  VOIR,  VA  22060-6219 


PQA  225.4[D2001-OA-0106]  September  30,  2002 

MEMORANDUM  FOR  DEPUTY  ASSISTANT  INSPECTOR  GENERAL  FOR  AUDIT 

POLICY  AND  OVERSIGHT,  DEPARTMENT  OF  DEFENSE, 
INSPECTOR  GENERAL 

SUBJECT:  Response  to  Draft  Oversight  Report  on  DoD  Oversight  of  Contractor  Purchasing 
Systems  (Project  No.  D2001-OA-0106) 

Thank  you  for  the  opportunity  to  respond  to  the  subject  report.  We  have  limited  our 
response  to  the  report  recommendation,  restated  below,  as  it  relates  to  DCAA. 


DoDIG  Report  Recommendation  No.  1 

We  recommend  that  the  Director,  Defense  Contract  Management  Agency  and  the 
Director,  Defense  Contract  Audit  Agency  jointly  reengineer  their  processes  and  procedures  for 
performing  reviews  and  audits  of  contractor  purchasing  systems  to  establish  joint  planning  and 
coordination  processes  that  will  more  effectively  meet  the  needs  of  both  organizations,  avoid 
duplication,  and  effectively  leverage  the  resources  of  both  organizations.  The  review  processes 
and  procedures  should  address  the  specific  deficiencies  identified  in  this  report. 

DCAA  Response 

Concur  in  principle.  DCAA  in  coordination  with  DCMA  will  re-evaluate  its  planning 
and  coordination  processes  for  conducting  its  audits  of  contractors’  purchasing  systems  and 
related  internal  controls  to  ensure  the  processes  will  facilitate  sufficient  audit  coverage  and  avoid 
duplication.  DCAA  will  issue  a  Memorandum  for  Regional  Directors  (MRD),  after  coordination 
with  DCMA,  providing  audit  guidance  to  the  field  auditors  on  the  enhanced  coordination  and 
planning  process.  We  will  issue  this  MRD  by  January  31,  2003.  The  MRD  will  include  (1)  a 
reminder  for  auditors  to  coordinate  with  DCMA  when  initiating  a  purchasing  system  review  and 
(2)  a  requirement  for  auditors  to  document  the  results  of  this  coordination  in  the  working  papers. 
We  will  make  any  necessary  revisions  to  the  DCAA’s  standard  audit  program,  Reviewing  and 
Reporting  on  Contractor  Purchasing  System  and  Related  Internal  Controls ,  for  the  April  2003 
APPS  update.  Necessary  revisions  to  the  guidance  contained  in  the  DCAA  Contract  Audit 
Manual  will  be  made  for  the  July  2003  update. 


PQA  225.4[D2001-OA-0106] 

SUBJECT:  Response  to  Draft  Oversight  Report  on  DoD  Oversight  of  Contractor  Purchasing 
Systems  (Project  No.  D2001-OA-0106) 


Questions  regarding  this  memorandum  should  be  directed  to  Mr.  Ken  Saccoccia,  Quality 
Assurance  Division  at  (703)  767-2250. 


Fc*  Lawrence  P.  Uhlfelder 
Assistant  Director 
Policy  and  Plans 
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Defense  Contract  Management  Agency 
Comments 


DEFENSE  CONTRACT  MANAGEMENT  AGENCY 

6350  WALKER  LANE,  SUITE  300 
ALEXANDRIA,  VA  22310-3241 


OCT  1  2002 


DCMA-OCS 


MEMORANDUM  FOR  ASSISTANT  INSPECTOR  GENERAL,  POLICY  AND 
OVERSIGHT,  DEPARTMENT  OF  DEFENSE 

SUBJECT :  Response  to  DoD  IG  Draft  Report  on  DoD  Oversight  of  Contractor 
Purchasing  Systems,  Project  No.  D2001-OA-0106 

This  is  in  response  to  the  Department  of  Defense  Inspector  General  audit  report, 
subject  as  above.  The  Defense  Contract  Management  Agency  comments  to  the  findings 
and  recommendation  are  attached.  Please  refer  any  questions  you  may  have  to 
Ms.  Penelope  A.  Langlois,  email:  g)_angl.oi,s@hq,dcma,miJ.,  telephone,  (703)428-0963. 


ROBERT  W.  SCHMITT 

Executive  Director 

Contract  Management  Operations 

Attachment 


SUBJECT :  DoDIG  Draft  Report,  DoD  Oversight  of  Contractor  Purchasing  Systems 

(Project  No.  D20010A-0106) 

FINDING  A:  Planning  and  Coordination  of  Reviews.  Based  on  our  evaluation  of  13 
DCMA  reviews  and  12  DCAA  audits,  planning  and  coordination  of  reviews  of  contractor 
purchasing  systems,  including  the  sharing  of  annual  plans  and  review  guides,  and  the  use 
of  audit  services,  needed  improvement.  Although  the  DCMA  CPSRs  and  DCAA  audits 
of  purchasing  system  internal  controls  have  different  objectives,  the  reviews  to  a  large 
extent  covered  the  same  areas.  However,  the  agencies  did  not  share  annual  plans,  and  the 
DCMA  guidance  did  not  stress  the  importance  of  auditor  participation  in  joint  reviews  to 
avoid  duplication.  The  DCMA  requested  only  limited  audit  support  from  DCAA  at 
locations  where  DCAA  audited  significant  contractor  dollars.  Further,  of  11  DCAA 
audits  that  required  coordination  with  the  ACO  or  the  CPSR  team,  6  did  not  include 
adequate  information  to  explain  the  extent  of  coordination  attempts.  The  DCAA  standard 
audit  program  emphasized  the  need  to  coordinate  with  the  ACO  in  an  introductory  note 
that  does  not  instruct  the  auditor  to  document  all  coordination  efforts.  The  conditions 
occurred  because  DCMA  and  DCAA  do  not  have  joint  planning  processes.  Excellent 
examples  of  effective  planning  and  coordination  were  demonstrated  at  three  contractor 
facilities.  Inadequate  coordination  may  result  in  overlapping  reviews  and  inefficient  use 
of  resources. 

DCMA  comments:  CONCUR.  DCMA  Directive  1,  Chapter  7.4,  Contractor  Purchasing 
System  Review  (CPSR)  specifies  in  paragraph  3.4  that  “A  coordinated  team  approach, 
which  promotes  the  sharing  of  data  and  reduction  of  duplicate  effort,  is  encouraged.” 
Additionally,  the  same  paragraph  discusses  the  CPSR  team  members  that  include  DCAA 
auditors  to  either  participate  or  provide  input.  In  addition,  annual  schedules  of  CPSR’s 
are  required  to  be  shared  with  DCAA  (reference  DCMA  Directive  1,  Chapter  7.4, 
Paragraph  4  6.3.4).  Because  adequate  instructions  and  guidance  are  currently  in  place,  an 
Information  Memorandum  will  be  issued  to  emphasize  the  importance  of  adhering  to  the 
DCMA  Directive  1  guidance. 

Disposition: 

( X)  Action  is  ongoing.  ECD:  November  30,  2002 

(  )  Action  is  considered  complete. 
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SUBJECT:  DoDIG  Draft  Report,  DoD  Oversight  of  Contractor  Purchasing  Systems 

(Project  No.  D20010A-0106) 

Recommendation  A:  We  recommend  that  the  Director,  Defense  Contract  Management 
Agency  and  the  Director,  Defense  Contract  Audit  Agency  jointly  reengineer  their 
processes  and  procedures  for  performing  reviews  and  audits  of  contractor  purchasing 
systems  to  establish  joint  planning  and  coordination  processes  that  will  more  effectively 
meet  the  needs  of  both  organizations,  avoid  duplication,  and  effectively  leverage  the 
resources  of  both  organizations.  The  review  processes  and  procedures  should  address  the 
specific  deficiencies  identified  in  this  report. 

DCMA  Comments:  CONCUR.  DCMA  recognizes  the  need  for  joint  planning  and 
coordination  processes.  Additionally,  DCMA  recognizes  that  DCAA  auditors  are 
expected  to  exercise  independent  judgment  in  planning  the  type  and  extent  of  audit 
testing  sufficient  to  render  unqualified  audit  opinions,  but  will  consider  and  address 
special  areas  of  concern  or  informational  needs  of  requesters.  (See  DCAA  Contract 
Audit  Manual  (CAM),  Section  1-403. lb.)  The  DCMA  Directive  1,  Chapter  7.4,  and  the 
DCAA  CAM  provide  sufficient  procedures  for  planning  and  coordination  of  reviews. 
DCMA  will  issue  an  Information  Memorandum  to  re-emphasize  the  need  for  such 
coordination  when  performing  a  CPSR. 

Disposition: 

(  X)  Action  is  ongoing.  ECD:  November  30,  2002 
(  )  Action  is  considered  complete. 
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SUBJECT:  DoDIG  Draft  Report,  DoD  Oversight  of  Contractor  Purchasing  Systems 

(Project  No.  D20010A-0106) 

Finding  B:  Performance  of  Reviews.  Although  the  DCMA  PSAs  adequately  covered 
prescribed  review  areas  and  supported  reported  findings,  risk  assessments  and  the 
documentation  of  work  preformed  during  the  reviews  could  be  improved.  The  conditions 
occurred  because  the  DCMA  One  Book  guidance  was  inadequate.  In  addition,  auditors 
relied  on  work  performed  by  the  CPSR  teams  without  sufficient  justification,  which  was 
not  in  compliance  with  GAGAS  and  DCAA  audit  guidance. 

As  a  result  of  inconsistent  risk  assessments,  reviews  may  not  be  scheduled  when  needed 
or  unnecessary  reviews  may  be  performed.  Auditor  noncompliance  with  GAGAS  when 
relying  on  work  performed  by  others  lessened  the  usefulness  of  the  audit  report. 

DCMA  Comments:  CONCUR:  The  DCMA  Directive  1,  Chapter  7.4  is  being  re-written. 
The  information  required  in  the  performance  of  a  risk  assessment  is  contained  in  the 
DCMA  Directive  1  Chapter  and  the  FAR.  This  information  will  be  identified  and 
referenced  within  the  aforementioned  policy. 

Disposition: 

(X)  Action  is  ongoing.  ECD:  November  30,  2002 
(  )  Action  is  considered  complete. 
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SUBJECT:  DoDIG  Draft  Report,  DoD  Oversight  of  Contractor  Purchasing  Systems 

(Project  No,  D20010A-0106) 

Recommendation  B.  1 :  We  recommend  that  the  Director,  DCMA  clarify  guidance  on  risk 
assessments.  At  a  minimum,  the  guidance  should: 

a.  Clearly  differentiate  between  risks  to  consider  for  annual  planning  purposes 
and  the  risks  to  consider  when  planning  the  scope  of  a  specific  review; 

b.  Advise  that  a  high  risk  factor  should  be  assigned  until  adequate  information 
exists  to  support  a  medium  or  low  risk;  and, 

c.  Amend  instructions  to  base  the  identification  of  key  processes  on  an 
understanding  of  the  contractor’s  system  rather  than  four  specific 
requirements. 

DCMA  Comments:  CONCUR,  (a)  DCMA  recognizes  that  there  is  a  disconnect  between 
risk  planning  and  risk  rating.  Although  all  the  information  is  contained  between  DCMA 
Directive  1  and  the  CPSR  Guide,  it  is  not  easily  understood.  A  revision  of  the  One  Book 
will  correct  this  situation,  (b)  The  suggestion  to  assign  a  high  risk  factor  until  adequate 
information  exists  to  support  a  medium  or  low  risk  is  tantamount  to  scheduling  a  CPSR 
for  a  contractor  where  no  information  exists  to  make  a  risk  determination.  DCMA  will 
ensure  that  DCMA  Directive  1  provides  instructions  that  will  allow  the  performance  of  a 
CPSR  for  qualifying  contractors  when  lack  of  information  does  not  allow  for  a  risk  rating 
to  be  assigned,  (c  )  Key  processes  listed  in  DCMA  Directive  1,  Chapter  7.4,  Paragraph 
4.6. 1.3  will  be  revised  to  more  appropriate  processes. 

Disposition: 

(  X)  Action  is  ongoing.  ECD:  November  30,  2002 
(  )  Action  is  considered  complete. 
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SUBJECT :  DoDIG  Draft  Report,  DoD  Oversight  of  Contractor  Purchasing  Systems 

(Project  No.  D20010A-0106) 

Recommendation  B.2:  We  recommend  that  the  Director,  DCMA  instruct  analysts  to 
improve  documentation  in  files  in  sufficient  detail  to  enable  a  reviewer  to  understand  the 
methods,  techniques,  and  criteria  used  to  support  the  findings  without  the  personal 
assistance  of  the  analyst. 

DCMA  Comments:  CONCUR.  An  Information  Memorandum  will  be  issued  to  re¬ 
emphasize  the  need  for  adequate  and  proper  documentation  of  files. 


Disposition: 

(  X)  Action  is  ongoing.  ECD:  November  30,  2002 
(  )  Action  is  considered  complete. 
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Team  Members 

The  Deputy  Assistant  Inspector  General  for  Audit  Policy  and  Oversight,  Office  of 
the  Assistant  Inspector  General  for  Auditing  of  the  Department  of  Defense 
prepared  this  report.  Personnel  of  the  Office  of  the  Inspector  General  of  the 
Department  of  Defense  who  contributed  to  the  report  are  listed  below. 

Wayne  C.  Berry 
Madelaine  E.  Fus field 
Patricia  A.  Bartron 
Krista  S.  Gordon 
Ashley  A.  Harris 


